Title :
Global abnormal correlation analysis for DDoS attack detection
Author :
Li, Zong-lin ; Hu, Guang-Min ; Yang, Dan
Author_Institution :
Key Lab. of Broadband Opt. Fiber Transm. & Commun. Networks, Univ. of Electron. Sci. & Technol. of China, Chengdu
Abstract :
Distributed detection of DDoS (distributed denial of service) attacks is often achieved through cooperation between many detection nodes, and its final detection result largely depends on the judgements of the local nodes. When DDoS attack flows are sufficiently distributed across many links, it's hard for every node to derive an exact judgement from locally collected information alone, which consequently impacts the performance of the whole detection system. Although a DDoS attack may go unnoticed locally, an inherent dependency among attack flows transiting many links does exist. This paper proposes an abnormal correlation analysis method, from a global perspective, for DDoS attack detection deployed in the backbone network, via extracting anomalous space from network-wide traffic, analyzing the correlation across them, and revealing attacks through the change of correlation. Analyzing the network-wide traffic simultaneously helps to discover attacks that are indistinct at a single node; moreover, utilizing the correlation between attacks, rather than purely the volume of the attack, lets our method overcome the difficulty of detecting attacks that are relatively small compared to the tremendous traffic in the backbone network. Simulations demonstrate that our method is able to detect DDoS attacks while they are small on a single link and is superior to other methods proposed in the present literature.
Keywords :
computer networks; principal component analysis; telecommunication security; telecommunication traffic; DDoS attack detection; abnormal correlation analysis method; backbone network; backbone network traffic; distributed denial of service attack; distributed detection mechanism; global abnormal correlation analysis; network-wide traffic; Computer crime; Computer networks; Data flow computing; Distributed computing; Failure analysis; Performance analysis; Principal component analysis; Spine; Telecommunication traffic; Traffic control;
Conference_Title :
Computers and Communications, 2008. ISCC 2008. IEEE Symposium on
Conference_Location :
Marrakech
Print_ISBN :
978-1-4244-2702-4
Electronic_ISBN :
1530-1346
DOI :
10.1109/ISCC.2008.4625614